Microsoft Azure Stack is an extension of Azure—bringing the agility and innovation of cloud computing to your on-premises environment and enabling the only hybrid cloud that allows you to build and deploy hybrid applications anywhere. We bring together the best of the edge and cloud to deliver Azure services anywhere in your environment.

The Azure Disk Encryption solution helps customers protect their data and meet their security and compliance commitments through a range of advanced technologies to encrypt data, control and manage encryption keys, and audit access to data. Additionally, security requirements such as key rollover and re-encryption of VMs make it more complex to maintain the keys and secrets of these VMs. Azure Backup supports backup of encrypted VMs across all of these scenarios seamlessly and maintains the security, privacy and sovereignty of enterprise data throughout the backup lifecycle.

Value Proposition

This feature provides:

Enhanced security: Since the keys and secrets of encrypted VMs are backed up in encrypted form, unauthorized users cannot read or use these backed-up keys and secrets. Only users with the right level of permissions can back up and restore encrypted VMs, as well as keys and secrets.

Improved restores: Besides backing up and restoring encrypted VMs, the latest keys and secrets associated with the VM are also backed up. So even if the VM is restored after years and the keys are lost, the backed-up version can be used to retrieve the VM. Learn more about how to restore keys and secrets using Azure Backup.

Simplified experience: With this capability, you can seamlessly back up and restore your encrypted VMs through a familiar and consistent experience.

Features

With this release, Azure Backup provides:

Backup of encrypted VMs using Key Encryption Key: The current capability supports backup of VMs encrypted using both BitLocker Encryption Key (BEK) and Key Encryption Key (KEK). The backed-up BEK and KEK will be stored in encrypted form, so they can be read and used only when restored to the key vault by the right user.

Restore lost keys and secrets: Since the KEK and BEK are backed up as well, users with the right set of permissions will be able to restore keys and secrets to the key vault if they are lost, and bring up the encrypted VM.

PowerShell: Customers can leverage Azure PowerShell to automate and perform backup and restore operations at scale.